Transcript of: The Breach In Your Pocket

Posted on 03-Jun-2018

The Breach In Your Pocket

Compliance Amidst the Risks From

Portable Devices and Social Media


Justin P. Webb

jwebb@gklaw.com

Agenda

• Mobile Device Risks

• HIPAA Security Rule Requirements

• Guidance on Mobile Device Security

• Social Media Risks

• Examples of Social Media Fails

• Social Media Risk Mitigation

• Conclusion


Mobile Device Risks

• Between January 2015 and October 2017:
  − 71 breaches reported to OCR involved laptops, smartphones, tablets, and portable storage devices, affecting 1,303,760 patient and plan member records
  − 17 of those breaches resulted in the exposure of more than 10K records
  − Largest breach: ~698K records

Source: Tips for Reducing Mobile Device Security Risks, HIPAA JOURNAL, available at https://www.hipaajournal.com/mobile-device-security-risks/.

Mobile Device Risks

Source: Mimecast Healthcare Provider Survey, https://www.mimecast.com/blog/2017/12/email-the-biggest-source-of-data-breach/

Mobile Device Risks

• Devices
  − USB sticks, removable hard drives, SSDs
  − Smartphones, tablets, PDAs
• BYOD or corporate owned?
  − Medical technology/devices that include tablets, iPads, etc. (anything that isn’t nailed down)
• OCR Cybersecurity Newsletter, Oct. 2017
  − Entities regulated by the HIPAA Privacy, Security, and Breach Notification Rules “must be sure to include mobile devices in their enterprise-wide risk analysis”

Mobile Device Risks

• Common Areas of Concern (and Breaches)
  − Lost/stolen/misplaced mobile devices and removable media
    • E.g. Children’s Medical Center (Dallas)
      – Loss of unencrypted, non-password-protected BlackBerry; also lost unencrypted USB stick
      – $3.2M OCR CMP, announced Feb. 1, 2017
  − Lack of encryption of mobile devices and removable media
  − Storage of PHI/PII/confidential information locally on the device, in third-party apps, or with cloud storage providers (iCloud, Google Drive, Box, Dropbox, etc.)

Mobile Device Risks

• Common Areas of Concern (and Breaches) (Cont.)
  − Lack of complex passcode on mobile device, or short timeout for screen lock
  − Records created on mobile devices could be part of the EHR
    • Are those records centralized with audit logs?
  − Failure to remove PHI before decommissioning device
  − Lack of two-factor authentication

Mobile Device Risks

• Less Top of Mind, But Very Important Areas of Concern:
  − Applications/functionality on mobile device
    • Whitelisting? Blacklisting?
    • Should users have the ability to take/send/post photos when on the corporate network or during work hours?
    • Functionality restrictions
  − Free Wifi/malicious Wifi (e.g. fake “attwifi”)
    • Devices automatically connect
  − Mobile malware
    • Password stealer, data exfiltration, jumping-off point to larger breach
    • Mostly an Android problem, but often an unpatched iPhone problem

Mobile Device Risks

• Less Top of Mind, But Very Important Areas of Concern (Cont.):
  − Storing passwords in browsers or in documents on a mobile device
    • Including the password to company systems
  − Malicious mobile apps
    • What are you allowing applications to access – contacts, photos, device information, local file storage
  − Bluetooth vulnerabilities

Mobile Device Risks

• Less Top of Mind, But Very Important Areas of Concern (Cont.):
  − Some email attacks (phishing, fake login pages, etc.) are exacerbated by mobile devices
    • Rush to read an email (less attention given), inability to hover over URL = more likely to click and be duped
  − Some attacks are targeted at mobile devices
    • Smishing (to go along with phishing and vishing)
    • Expect this number to increase substantially
    • iOS has code review, which acts as a buffer, but things do slip through

Mobile Device Risks

• Less Top of Mind, But Very Important Areas of Concern (Cont.):
  − Two-factor authentication is not foolproof
    • I obtain your password from a data breach
    • I log in to your email and set up rules so you don’t see certain emails
    • I then log in to your mobile device carrier (same password, of course), order a new device, and activate it
    • Then, on a site with two-factor authentication that sends text notifications, I receive the code on the new phone and I win

HIPAA Security Rule Requirements

• HIPAA Security Rule – Administrative Safeguards
  − Risk Analysis
    • 45 CFR § 164.308(a)(1)(ii)(A) – CE or BA must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [CE] or [BA]
  − Risk Management
    • 45 CFR § 164.308(a)(1)(ii)(B) – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

HIPAA Security Rule Requirements

• HIPAA Security Rule – Physical Safeguards
  − 45 CFR § 164.310(d)(1) – Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility
• HIPAA Security Rule – Technical Safeguards
  − 45 CFR § 164.312
    • Encryption, automatic logoff, transmission security

HIPAA Security Rule Requirements

• Enterprise Risk Analysis & Risk Management
  − Differs dramatically depending on corporate devices vs. BYOD
  − Differs dramatically depending on presence of MDM (Mobile Device Management)
  − Differs dramatically depending on $$ available
  − Part of risk analysis is cost of security upgrade vs. compliance cost vs. semi-quantifiable non-compliance risk

Guidance on Mobile Device Security

• Considerations:
  − Mobile devices increase the attack surface
  − Hard to control disparate operating systems at disparate levels of update
  − Would you even know if there was a breach of a mobile device, other than an employee reporting a device lost/stolen?
  − Would you be able to determine how much PHI was on a mobile device, to make a proper HIPAA breach notification?

Guidance on Mobile Device Security

• Considerations:
  − Over-focus on egress, when there is considerable risk on the ingress side
    • Rogue mobile devices on guest Wifi
    • Plug devices into network on-site, or USB into PC

Source: https://www.pwnieexpress.com/mr-robot-pwn-phone

Guidance on Mobile Device Security

• Highlights:
  − CEs should have a mobile device or similar policy
    • Define what resources can be accessed, what devices are permitted, how much access is allowed, how devices are provisioned
  − Develop risk analysis and threat models for mobile devices and the resources that are accessed through the mobile devices

Guidance on Mobile Device Security

• Highlights:
  − Consider the merits of security services, applications, and systems
    • Enterprise security measures like managing Wifi interfaces and monitoring policy violations
    • Encryption and remote wipe capabilities
    • Automatic logoff, resetting forgotten passwords remotely, auto-lock after specific time, strong passcodes
    • Restricting apps, defining app permissions, updates, sync services, digitally signed apps, organization app store

Guidance on Mobile Device Security

• Highlights:
  − Test a pilot of mobile device solutions before putting it into production
  − Fully secure organization-owned mobile devices
    • Really no excuse for insecure corporate-owned devices
  − Interview a representative cross-section of employees about their actual use of mobile devices to understand risks, workarounds, concerns

Guidance on Mobile Device Security

• Highlights:
  − Mobile devices require remote access
    • How is that secured?
      – Two-factor authentication, RSA key?
    • VPN vs. limited Citrix environment vs. Virtual Desktop Infrastructure (understand the risks of each and implement security measures commensurate)
  − Logging, logging, and more logging
    • Centralized logging solution in addition to audit records in EMR system

Guidance on Mobile Device Security

• Highlights:
  − USB sticks
    • Disallow devices completely; or
    • Require encryption for any device inserted into corporate network.
    • Include rules and guidelines in mobile device policy, information security policy, and/or HR manual
    • Control autoruns via enterprise-wide policy
  − Physically secure removable devices attached to systems (i.e. external hard drives)
    • Often stolen, resulting in breach notification and OCR involvement
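As an added example (not part of the presentation), a read-only PowerShell audit of the Windows Group Policy settings that implement the USB controls above on one host: USB mass storage disabled (the "disallow" alternative), BitLocker required before removable drives can be written (the "require encryption" alternative), and AutoRun/AutoPlay turned off. The registry locations are the standard Group Policy locations; the expected baseline values are my assumptions, not values stated in the deck.

```powershell
# Added example: audit the host's USB-control policy settings. Read-only; no changes made.
# Assumes an elevated PowerShell session on a Windows host. Expected values are an
# assumed baseline, not values from the presentation.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist (i.e. no policy applied).
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

# Two alternatives from the slide:
#   (a) disallow USB mass storage entirely: USBSTOR service Start=4 (disabled)
#   (b) require encryption: BitLocker denies writes to unprotected removable drives
# Autorun: NoDriveTypeAutoRun=0xFF (255) turns AutoPlay off for every drive type;
#          NoAutorun=1 stops autorun.inf commands from executing.
$checks = @(
    @{ Control  = 'USB mass storage disabled (alternative a)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name     = 'Start'; Expected = 4 },
    @{ Control  = 'BitLocker required to write removable drives (alternative b)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
       Name     = 'RDVDenyWriteAccess'; Expected = 1 },
    @{ Control  = 'AutoPlay disabled on all drive types'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name     = 'NoDriveTypeAutoRun'; Expected = 255 },
    @{ Control  = 'autorun.inf commands blocked'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
       Name     = 'NoAutorun'; Expected = 1 }
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Control  = $c.Control
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        Pass     = ($actual -eq $c.Expected)
    }
}

# The slide offers (a) OR (b), so either satisfies the USB control;
# both autorun settings must hold.
$usbOk     = ($results[0].Pass -or $results[1].Pass)
$autorunOk = ($results[2].Pass -and $results[3].Pass)

$results | Format-Table -AutoSize
"USB storage control satisfied: $usbOk"
"Autorun control satisfied:     $autorunOk"
```

The `$results` objects carry the host name so they can be exported (for example with `Export-Csv`) and shipped to the centralized logging the deck recommends.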

Guidance on Mobile Device Security

• Solutions
  − Policies – BYOD policy, mobile device policy, remote access policy
  − User mobile device agreements – HIMSS has examples
  − Technical solutions
    • Mobile Device Management / Data Loss Prevention
    • Secure profiles/certificates for access to systems with PHI
    • Network Access Control (for ingress)
    • Mobile antivirus
    • Encryption
  − User education
  − Constitute a security and privacy team, or at least identify a person responsible, or engage outside consultants when personnel, technology, or time are limiting factors

Guidance on Mobile Device Security

• Solutions
  − Ensure understanding of risks at all levels of management
  − Pretty policies that aren’t followed won’t do you any good
  − Risk management through cyber liability insurance
    • Coverage of OCR fines?

Source: https://www.campussafetymagazine.com/hospital/21st-century-oncology-cyber-insurer-beazley-hipaa/

Guidance on Mobile Device Security

• Ultimate Questions
  − What documentation do you have to show you analyzed and addressed the risks, if OCR or DHS comes knocking?
    • Common allegation in association with OCR enforcement actions involving mobile devices – no risk analysis, no risk management, failure to address the easy issues (encryption)
  − For HIPAA Security Rule requirements that are addressable, what risk mitigation strategies have you used, and are they reasonable?
  − Can you show reasonable technical security measures?
    • Following HHS and/or NIST guidance = higher likelihood your implementation = reasonable. But following NIST is not a guarantee.

Guidance on Mobile Device Security – Vendors/BAs

• How are you mitigating risks associated with vendors’ use of mobile devices, or mobile devices that are integrated with systems you use?
  − Vendor risk management
    • Questionnaires
  − BAAs
  − Code review
  − Additional contractual provisions concerning data security

Social Media!


Social Media Risks

• Security Risks
  − Facebook, Twitter, Instagram, LinkedIn are breeding grounds for malicious actors
    • Bleed over to CE’s systems
  − Shortened links prevent review of landing website
  − Use of same password on social media and company systems
  − Security of organization’s official or affiliated social media accounts
    • Who has the password?
    • How are messages vetted?
    • Two-factor authentication?
  − Impersonation or account takeover

Social Media Risks

• Privacy Risks
  − Disclosure of PHI/confidential information
    • Pictures/videos – Twitter, Instagram, Snapchat, Facebook, etc.
    • Postings – Twitter, Instagram, Snapchat, blogs, LinkedIn, online reviews
  − Location leakage
    • Patient located at X hospital, because nurse tweeted
    • Geotagged photos
  − Friending patients

Social Media Risks

• HIPAA-specific issues regarding patient communications via social media/mobile communication
  − Was patient consent obtained for communication involving PHI via social media, text messages, or iMessages (or e-mail)?
  − Are those communications secure?
  − Was the patient warned of the risks of the communication medium?
  − Who else can see the PHI?

Social Media Risks

• Other Risks to CE
  − Reputation of organization
  − Unauthorized endorsements on behalf of organization
  − Disclosure or leakage of confidential information
    • Salaries, IT security measures, financials, trade secrets, etc.
  − Are postings/communications/pictures/videos part of the EHR?

Social Media Risks (Legal)

• HIPAA Privacy and Security Rules

• Licensing Regulations

• State data privacy laws

• Various torts, including four foundational privacy torts

• Employer vicariously liable – respondeat superior

• Negligent hiring or supervision

• Discrimination, retaliation, harassment


Social Media Risks (Legal)

• OCR enforcement, if violation involves breach of PHI
  − Do you have a social media policy?
  − Does the policy, or another policy, provide for employee sanctions for violations of policy?
  − How do you determine a breach of PHI via social media?
  − Social media risk management strategies?

Examples of Social Media Fails

Source: https://www.law360.com/articles/823957/nurse-s-gory-tweets-leave-privacy-attys-gobsmacked

Examples of Social Media Fails (image-only slides)

Examples of Social Media Fails

• Allegations
  − Tweeted image of ER room involved in treating shooting victim who ultimately died
• Claims
  − Intentional infliction of emotional distress; institutional negligence for lack of social media policy
  − Reckless conduct
• Provider and nurse ultimately win lawsuit, but reputational damage is done

Examples of Social Media Fails


• Court also states:

Examples of Social Media Fails

Source: https://www.propublica.org/article/nursing-home-workers-share-explicit-photos-of-residents-on-snapchat

Examples of Social Media Fails

Source: https://www.propublica.org/article/nursing-home-workers-still-posting-nude-vulgar-photos-residents-on-snapchat

Examples of Social Media Fails

Source: https://www.propublica.org/article/inappropriate-social-media-posts-by-nursing-home-workers-detailed-1

Examples of Social Media Fails

Source: http://www.cnn.com/2017/09/15/health/upmc-denver-patient-genitals/index.html

Examples of Social Media Fails

Source: https://nypost.com/2014/07/08/new-york-med-nurse-katie-duke-fired-for-insensitive-instagram-shot/

Tweeted: “Man v. 6 train . . . The After. #lifesaving #EMS #NYC #Nurses #Doctors #nymed #trauma #realLife”

Examples of Social Media Fails

Source: https://www.propublica.org/article/stung-by-yelp-reviews-health-providers-spill-patient-secrets

Social Media Risk Mitigation

• User training about proper use of social media and security/privacy concerns
  − Take-home message: DO NOT disclose PHI. Period. (Exception for messaging with patient consent, but even then you must be careful and warn the patient of the risks)
  − Maintain records of training
• Monitoring of social media by CE/employer in a legal and responsible way
  − No direct access to employee accounts
  − No monitoring without warning employees that they have no reasonable expectation of privacy (do this in the Acceptable Use Policy)
  − Do not ask for passwords
  − Do not friend under false pretenses, or access private info

Social Media Risk Mitigation

• Implement a Social Media Policy and consider having employees sign a Social Media Agreement
  − Have counsel assist you with the policy, to ensure it conforms with NLRB rulings
    • Must not restrict employees’ ability to engage in concerted activity, or to discuss wages, hours, etc.
  − Establish permissible uses
  − No speaking on behalf of the organization unless specifically granted, and include a disclaimer or disclosure of relationship
  − No disclosure of PHI or confidential information
  − No pictures/videos/graphics that could disclose PHI

Social Media Risk Mitigation

• Social Media Policy (cont.)
  − No violations of law (HIPAA, privacy, data security, DMCA, harassment (sexual or otherwise), discrimination)
  − Right of employer to monitor social media
  − Whether employer discourages friending patients or supervisors/managers
  − Use of logos/trademarks in social media accounts
  − Repercussions (in policy or in employee handbook)

Social Media Risk Mitigation

• Keep in mind various social media contexts, and draft policy accordingly
  − Personal social media account, off-work hours
    • Most legal protection for employee
  − Personal social media account during work hours
  − Personal social media account during work hours on company-owned device
    • Ban?
    • Prevent use through MDM, firewall, or other technical measure
  − Company or affiliated social media account
    • Most strenuous restrictions
  − Have counsel assist with any decisions to take action based on violation of social media policy, to ensure a permissible purpose

Conclusion

• The first step is to identify the risks in your environment, with:
  − Mobile devices
  − Social media
• Establish risk mitigation strategies and implement required controls under the HIPAA Security Rule, and implement reasonable measures for addressable security requirements
• Establish a Social Media Policy in consultation with counsel
• Educate mobile device and social media users on the myriad risks
  − Privacy
  − Security
  − Liability
  − Repercussions

The presentation and materials are intended to provide information on legal issues and should not be construed as legal advice. In addition, attendance at a Godfrey & Kahn, S.C. presentation does not create an attorney-client relationship. Please consult the speaker if you have any questions concerning the information discussed during this seminar.

OFFICES IN MILWAUKEE, MADISON, WAUKESHA, GREEN BAY AND APPLETON, WISCONSIN

AND WASHINGTON, D.C.


Thank You

Any Questions?
